Did NSA Know About the Heartbleed Bug? Reports Say Surveillance Discovered Virus in 2012
Since the announcement of the Heartbleed bug, the Internet has been in an uproar over the security flaw. Now, adding to the worries of every Internet user, comes news that brings the NSA and Heartbleed together. If the allegations concerning the NSA are correct, then the security agency will have willfully withheld information that affected the Internet security of millions of Americans.
According to a report released by Bloomberg News, the National Security Agency discovered the Heartbleed bug sometime in 2012. Early in that year, the flaw was introduced via an adjustment to the OpenSSL protocol. According to Heartbleed.com, a website launched to highlight the security breach, the bug has seriously affected millions of Internet users.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," states the site.
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software," the website adds. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."
Bloomberg reports that, after discovering the flaw, the NSA decided to keep it secret and exploit it for the sake of national security. Using this flaw, the NSA has reportedly been able to access passwords and other basic data that helps it mount its electronic defense. Its actions, however, were at the expense of two-thirds of the world's Internet users, according to Bloomberg.
As part of its mission, the NSA has looked for flaws such as this one to exploit, but following Edward Snowden's revelations, a presidential committee recommended that the NSA stop stockpiling such flaws.
"They actually have a process when they find this stuff that goes all the way up to the director [of the agency]," said James Lewis, a cybersecurity senior fellow at the Center for Strategic and International Studies. "They look at how likely it is that other guys have found it and might be using it, and they look at what's the risk to the country."
Lewis added that the NSA had options, including exploiting the flaw and then quietly contacting developers to fix it. Yet this new development will not help soothe Americans' doubts about the security agency.
The NSA and the government denied the NSA's knowledge and usage of the Heartbleed flaw. According to Ars Technica, the statement emailed to them by an NSA spokeswoman reads:
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," an NSA spokeswoman told Ars Technica in a statement. "Reports that say otherwise are wrong."
"The Federal government was not aware of the recently identified vulnerability in OpenSSL until it was made public in a private sector cybersecurity report. The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. This Administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," the statement continues.
The NSA has been accused of much before, and this can only help to tarnish its reputation. Ars Technica adds that if the government did know about the flaw, it would have discovered it within days of the update's release, which coincides with Bloomberg's statement that the agency knew of the flaw for two years. Although it is not impossible, it is uncertain whether the government could have known so quickly, since it would have had to be following the program's development.